Ending the culture of silence in cyber security
– 3 ways to empower teams

Mark Lomas, technical architect, Probrand

Cyber Threat

Nearly all of us have made a mistake at work that has made our stomach flip. Perhaps it was an accidental ‘reply all’ on an email or a rogue purchase of office supplies without obtaining the right permissions. The natural response is to rectify the mistake as quickly as possible before it becomes noticed. Although there is sometimes a temptation to stick our head in the sand and ignore it completely.

In most cases, these slip-ups can be smoothed over and corrected without much lasting damage. The same cannot be said for a cyber breach, where the stakes are much higher.

When you consider that almost a third of UK businesses are attacked at least once a week – and that each breach costs around £4,000 on average – you could be forgiven for seeing why staff may shy away from owning up to a mistake. This is a serious problem. A recent report revealed that 41% of breaches are not reported to internal leadership.

Whether it’s accidentally clicking on a dodgy link or bypassing a security defence out of frustration, mistakes happen. Should this happen, early detection is crucial in mitigating the damage and recovering as quickly as possible. But, for this to happen, staff need to feel safe in speaking up when they think something may have gone wrong.

Here, Mark Lomas, outlines three ways organisations can create a blame-free culture that empowers teams to prepare for – and recover from – an attack.

1) Tailored, relevant training

Before an attack even takes place, it’s important to equip your team with the skills to recognise when something looks wrong. Regular training is one of the most effective techniques to set staff up for success and help them to adopt a ‘zero trust’ mindset.

It’s important that this training evolves so it remains relevant to the increasingly sophisticated type of attacks we’re now seeing. For example, a cyber training session five years ago might have focused on identifying the telltale signs of a ‘spoof and spam’ email. Of course, this is still a threat, but staff also need to be trained on modern methods, which include the use of AI-generated content to deceive individuals into unwittingly downloading disguised malware.

Another type of training that is especially effective in helping to prepare employees for common exploits is simulated attacks. This isn’t about catching people out; it’s about pinpointing any weak spots and identifying any areas where employees may need additional support.

2) A safe zone for admitting mistakes

While effective training is important, organisations must acknowledge that you can’t ‘train out’ every mistake that might be made. To think otherwise is a dangerous strategy that serves no-one. So, in addition to training, organisations need to create a culture where staff aren’t afraid to speak up should the worst happen.

This should make the process of communicating a breach less daunting. Consider using a dedicated portal where staff can report any issues and where anything immediately dangerous can be escalated.

The worst scenario is where staff don’t say anything, and the problem gets worse. If attackers aren’t met with any resistance, it can give them the encouragement they need to return and carry out another attack. But, if staff have an environment to speak up without fear or repercussion, you can avoid this scenario.

Discover how to train employees to recognize threats in Three Cybersecurity Threats Your Employees Need to Know.

3) Getting back on your feet

Finally, if people do trip and fall, is there a safety net there to catch them? It’s important to look at the processes and solutions you have in place should this happen. A lot of this can be covered off with careful planning.

For example, how will each part of the business keep on functioning until a clean-up can be carried out? What are your legal obligations in terms of informing customers? Depending on the nature of the breach, you may also need to inform authorities like the Information Commissioner's Office (ICO). Staff will automatically feel better if they know there is a playbook and a plan to recover from each scenario.

By following these steps, businesses can create an environment where staff aren’t sitting on their hands, waiting to report an incident. Organisations can instead proactively mitigate the threats they face and build confidence around their approach to its security.

Explore how to strengthen your defenses with Proactive IT Support Strategies.